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Abstract  — Tactical  networks  must  select  service  providers  to 
meet  service  requirements  of  an  operation  while  facing  resource 
constraints  and  high  security  vulnerability.  In  such  an 
environment  nodes  provide  services  to  support  various 
operations  and/  may  request  services  to  support  the  operations  as 
well.  We  formulate  the  problem  of  service  composition  and 
service  binding  as  a  multi-objective  optimization  (MOO) 
problem,  minimizing  the  service  cost,  while  maximizing  the 
quality  of  service  (QoS)  and  quality  of  information  (Qol).  The 
MOO  problem  is  essentially  a  node-to-service  assignment 
problem  such  that  by  dynamically  formulating  service 
composition,  and  selecting  the  right  nodes  to  provide  requested 
services,  the  network  can  support  concurrent  operations  while 
achieving  multiple  system  objectives.  We  develop  a  trust-based 
service  composition  and  binding  protocol.  We  demonstrate  that 
the  trust-based  scheme  outperforms  the  counterpart  non-trust- 
based  scheme.  Furthermore,  our  trust-based  scheme  can 
effectively  penalize  malicious  nodes  performing  self-promotion 
attacks,  thus  filtering  out  malicious  nodes  and  can  ultimately  lead 
to  high  user  satisfaction. 

Keywords — service  composition,  tactical  networks,  trust,  multi¬ 
objective  optimization. 

I.  Introduction 

Tactical  networks  must  support  concurrent  operations,  such 
as  target  tracking,  field  surveillance,  target  classification,  and 
trajectory  prediction.  Applying  service  composition  techniques 
[9]  to  compose  services  can  effectively  simplify 
implementation  details  while  efficiently  utilizing  available 
resources.  While  dynamic  service  composition  has  been 
extensively  studied  for  web  services,  little  is  found  for  tactical 
networks  because  a  tactical  operation  failure  is  often  much 
more  severe  than  a  web  service  failure.  Moreover,  most 
studies  focus  on  maximizing  quality-of-service  (QoS)  of  a 
single  service  composition  request  without  considering 
resource  constraints  when  concurrent  service  composition 
requests  exist,  which  necessitates  multiple  system  goals  to  be 
considered. 

This  paper  considers  dynamic  service  composition  and 
service  binding  in  a  tactical  network  environment  in  which 
nodes  provide  services  to  support  tactical  mission  operations, 
and  also  request  services  themselves.  In  the  literature  [11],  the 


dynamic  service  composition  and  binding  problem  comes  in 
two  forms:  (a)  composition  by  planning  in  which  a  goal  and  a 
set  of  available  services  are  given  and  the  system  completes 
the  goal  by  planning  and  service  binding  using  available 
services;  and  (b)  composition  by  workflow  process 
optimization  in  which  the  workflow  with  constraints  is  given 
as  input  and  the  service  composition  and  binding  problem  is 
essentially  a  node-to-service  assignment  problem  as  we 
consider  in  this  paper.  We  formulate  the  problem  of  service 
composition  and  binding  as  a  multi-objective  optimization 
(MOO)  problem  for  maximizing  QoS  and  Qol  (quality-of- 
information)  while  minimizing  service  cost. 

Our  approach  uses  trust  for  making  decisions  on  service 
composition  and  binding.  In  tactical  networks,  collaborating 
with  sufficiently  trustworthy  entities  is  the  key  to  successful 
mission  execution  assuming  that  selected  trustworthy  entities 
are  sufficiently  functional  to  execute  the  given  mission. 
Malicious  nodes  may  provide  false  information  about  service 
metrics;  our  trust-based  assessment  filters  out  these  nodes 
leading  to  successful  task  completion. 

Trust-based  service  composition  and  binding  also  has  been 
studied  in  the  web  services  domain  [2],  [6],  but  only  a  single 
dimension  of  trust  was  considered.  In  order  to  reflect  key 
capabilities  required  for  competing  tactical  missions,  we 
consider  two  key  trust  dimensions,  competence  and  integrity, 
as  the  building  blocks  of  a  “composite”  trust  metric. 

To  the  best  of  our  knowledge,  no  prior  work  has  considered 
incorporating  trust  as  decision  criteria  to  solve  a  service 
composition  and  binding  problem  for  tactical  networks  with 
multiple  objectives.  We  develop  an  Integer  Linear 
Programming  (ILP)  solution  technique  to  solve  this  MOO 
problem. 

The  rest  of  this  paper  is  organized  as  follows.  Section  II 
describes  our  system  model  including  the  tactical  network 
environment,  trust  metric,  the  service  model  and  the  MOO 
problem  definition.  Section  III  describes  the  trust-based  and 
non-trust-based  service  composition  and  service  binding 
protocols.  Section  V  reports  comparative  performance  results 
utilizing  ILP  to  solve  the  MOO  problem  for  both  trust-based 
and  non-trust-based  schemes.  We  also  conduct  sensitivity 
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analyses  to  reveal  design  parameter  settings  under  whieh  the 
performanee  of  our  trust-based  seheme  ean  be  further 
improved.  Seetion  VI  eoneludes  the  paper. 

II.  System  Model 

A.  Tactical  Network  Environments 

We  eonsider  a  taetieal  network  in  whieh  nodes  are 
heterogeneous  sueh  as  sensors,  robots,  unmanned  vehieles  or 
other  deviees,  whieh  may  have  severe  energy  eonstraints  and 
are  mainly  used  for  sensing  and  relaying  data  or  implementing 
aetions  not  suitable  for  human  operators;  nodes  ean  be 
dismounted  soldiers  earrying  sensors  or  handheld  deviees,  or 
manned  vehieles  with  various  types  of  equipment,  whieh 
possess  intelligenee  for  analyzing  data  before  taking  aetions. 
In  this  network  a  node  has  two  roles  in  exeeuting  operations: 
(1)  a  serviee  provider  (SP)  to  support  an  operation;  and  (2)  a 
serviee  requestor  (SR)  to  request  a  serviee  in  the  proeess  of 
initiating  (and  exeeuting)  an  operation.  An  example  operation 
ean  be  target  traeking,  field  surveillanee,  and/or  target 
elassifieation.  Eaeh  operation  may  require  more  than  one 
serviee.  For  example,  target  traeking  requires  serviees  from 
nodes  with  signal  proeessing  power  and  loealization 
eapability.  Field  surveillanee  ean  require  serviees  sueh  as 
multi-modal  signal  proeessing,  data  aggregation,  and  intrusion 
deteetion.  There  may  be  eases  where  two  serviees  should  be 
exeeuted  eoneurrently.  We  denote  the  abstraet  serviees  by  Si, 
S2,...,S,. 

B.  Trust  Metric 

We  use  trust  to  assign  the  right  nodes  as  SPs  to  the  right 
abstraet  serviees.  We  eonsider  composite  trust  eonsisting  of 
competence  and  integrity  as  follows: 

•  Competence:  This  refers  to  an  entity’s  eapability  to  serve 
the  reeeived  request  by  providing  a  satisfaetory  quality. 
This  is  often  affeeted  by  (a)  network  eonditions  sueh  as  link 
failure  or  being  diseonneeted  by  environmental  eonditions 
sueh  as  terrain;  (b)  energy  level  of  a  node  (e.g.,  sensors  vs. 
unmanned  vehieles);  or  eurrent  workload  and  (e)  inherent 
nature  of  a  human  entity  sueh  as  willingness. 

•  Integrity:  This  refers  to  the  degree  to  whieh  a  node 
eomplies  with  a  given  network  protoeol,  not  performing 
network  attaeks  ineluding  self-promotion  attaeks  by 
disseminating  false  information.  That  is,  a  node  may  lie 
about  Qol,  QoS  and  eost  seores  of  its  own  eapability  and  try 
to  inerease  its  ehanee  to  be  ineluded  in  mission  operations 
in  order  to  disrupt  sueeessful  exeeution  of  the  operations. 

We  assume  the  trust  values  are  sealed  in  the  range  of  [0,  1] 

as  a  real  number.  We  denote  the  trust  of  node  j  evaluated  by 
node  i  in  trust  property  X  (i.e.,  eompetenee  or  integrity)  as  Ty . 
The  overall  trust  is  the  average  of  these  two  trust  values  as  we 
eonsider  these  two  trust  dimensions  to  be  equally  important  in 
military  missions.  We  adopt  Bayesian  inferenee  [1],  [7],  [8] 
modeling  trust  by  the  Beta  (a,  P)  distribution  sueh  that  a/(a+P) 
is  the  estimated  trust  of  a  SP  with  a  as  the  number  of  positive 
serviee  experienees  and  p  as  the  number  of  negative  serviee 
experienees,  whieh  are  aeeumulated  by  a  node  as  it  evaluates 
the  serviees  provided  to  it  by  an  SP.  This  trust  value  is 


propagated  to  and  then  aggregated  by  other  nodes  in  the 
system  through  a  trust  propagation  and  aggregation  protoeol 
eharaeterized  by  a  parameter,  T^rr.  representing  the  trust 
estimation  error  or  trust  bias  due  to  trust  propagation  and 
aggregation  as  eaeh  node  updates  other  nodes’  trust  values  in  a 
distributed  manner.  For  a  malieious  node  or  a  bad  node,  the 
worst-ease  is  that  its  trust  is  overestimated  by  T^rr  over  the 
trust  value  propagated.  In  this  paper,  we  test  the  resilieney  of 
the  trust-based  serviee  eomposition  and  binding  protoeol 
against  self-promotion  attaeks  under  the  worst  ease  trust 
overestimation  error  for  bad  nodes. 

C.  Service  Advertisement 

A  node  as  a  SP  ean  use  two  methods  to  advertise  its 
availability  to  provide  serviees  to  the  network:  push  method 
and  pull  method. 

In  the  push  method,  a  node  as  a  SP  eontinuously 
broadeasts  its  availability.  On  the  other  hand,  the  pull  method 
[9],  [10]  enables  a  node  to  advertise  its  serviee  availability 
only  when  a  peer  node  (i.e.,  a  SR)  shows  interest.  That  is,  the 
push  method  is  proaetive  and  eonsumes  more  resourees  while 
the  pull  method  reaetively  serves  upon  request,  trading  off 
delay  for  resouree  eonsumption.  We  adopt  the  pull  method  for 
effieient  resouree  management.  A  SP  responds  with  an 
advertisement  message  only  if  it  is  eapable  of  providing 
serviees  requested  by  a  SR.  The  advertisement  message  Adgp 
eomprises  four-tuple  reeords,  one  for  eaeh  abstraet  serviee  it 
ean  provide  as  follows: 

Adsp:  [k,Qk,Dk,Ck]  forSk  (*) 

Here  we  use  Q,  D,  and  C  to  denote  the  Qol,  delay  (for  QoS) 
and  eost  metries.  The  four-tuple  reeord  for  is:  (a)  k 
indieating  the  index  of  the  servive  Sk  that  the  SP  ean  provide  ; 
(b)  Qk  indieating  the  level  of  Qol  the  SP  ean  provide  for  S^ 
(e)  Dk  indieating  the  level  of  serviee  delay  (for  QoS)  the  SP 
ean  provide  for  Sk;  and  (d)  indieating  the  serviee  eost  the 
SP  will  eonsume  to  provide  Sk-  If  a  SP  ean  provide  multiple 
serviees,  then  it  will  have  a  set  of  four-tuple  reeords  for  eaeh 
abstraet  serviee  that  it  ean  provide.  We  assume  that  the  serviee 
quality  of  a  SP  in  Q,  D  and  C  is  based  on  a  priori  information 
deseribing  a  deviee’s  eapability. 

D.  Dynamic  Service  Composition 

A  taetieal  network  serves  multiple  taetieal  operations, 
eaeh  requiring  a  series  of  abstraet  serviees.  We  use  the 
notation  0^  to  refer  to  operation  m  and  SR^  to  refer  to  the 
serviee  requester  of  operation  m.  In  order  to  exeeute  the  given 
operation,  the  SR  advertises  its  need  for  serviees.  Then, 
available  SPs  send  out  advertisement  messages  (i.e.,  Adgp  as 
shown  in  (1)).  Based  on  the  informed  serviee  availabilities,  the 
SR  eomposes  a  speeifieation  of  the  serviee  requirements  to 
exeeute  the  operation.  We  eall  the  speeifieation  profile  a 
service  composition  specification,  denoted  as  SCS.  It  ineludes 
the  sehedule  of  required  abstraet  serviees,  Sk’s,  and  the 
required  Q,  D  and  C  thresholds  for  eaeh  abstraet  serviee. 
Based  on  the  SCS,  the  SR  proeeeds  with  the  node-to-serviee 
assignment  (NS A)  proeess  to  identify  the  best  SP  set  to 
maximize  performanee  in  terms  of  multiple  objeetives  defined 
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in  subsection  F.  In  Section  III,  we  will  detail  the  process  of 
NSA.  An  example  SCS  is: 

SCS  =  ([So],  [S2,S4],  [S3],  [S7][S4,S8],  [S^]}  (2) 

Here  [S2,S4]  specifies  that  S2  and  S4  are  to  be  executed 
concurrently;  [S3],  [S7]  specifies  that  S3  and  S7  are  to  be 
executed  sequentially.  Each  abstract  service  Sk  is  associated 
with  a  “hard”  threshold  requirement 
STHRES^  (qTHRES  pTHRES  cTHRES  )  specifying  thc  required 

Q,  D  and  C  thresholds  where  is  the  minimum  Q 

threshold,  D™^^^is  the  maximum  D  threshold,  and  is 

the  maximum  C  threshold. 

E.  Service  Binding 

A  node  capable  of  providing  multiple  services  to  an 
operation  can  be  selected  to  execute  multiple  services. 
However,  it  may  not  be  selected  for  executing  concurrent 
services  because  this  may  adversely  affect  the  Q,  D  and  C 
outcomes  due  to  heavy  workload.  If  two  operations  overlap  in 
time  for  service  provision,  a  node  capable  of  providing 
services  to  these  two  operations  can  at  most  choose  one  to 
execute  to  ensure  its  availability  and  commitment  to  a  single 
operation. 

F.  Multiple  Objective  Optimization 

We  consider  three  objectives,  maximizing  Q  while  minimizing 
D  and  C.  These  are  the  key  criteria  to  measure  user  satisfaction. 
A  SR  may  be  a  human  entity  such  as  a  soldier  carrying  devices. 
In  order  to  estimate  the  satisfaction  level  for  the  services 
provided  for  an  operation,  the  SR  can  hold  two  standards:  hard 
standard  vs.  soft  standard.  The  hard  standard  is  the  Q,  D  and 
C  threshold  requirement  for  Sk.  This  is  a  strict  standard 

that  each  service  must  comply  to  meet  user  satisfaction.  If  there 
is  no  SP  available  to  provide  the  service,  or  if  the  SP  selected  to 
provide  the  service  fails  to  meet  the  threshold  requirement,  then 
the  operation  is  regarded  as  having  failed.  The  soft  standard 
measures  user  satisfaction  for  the  provided  services  in  terms  of 
the  overall  Q,  D  and  C  service  levels  achieved,  i.e., 

Qm  =  2  Qm 

i£<S'm 

cS'm  is  the  set  of  abstract  services  requested  by  0^;  Q^,  and 
Cm  are  the  operation-level  Q,  D,  and  C  achieved,  and 
Dm,i  and  Cm,i  are  the  service-level  Q,  D,  and  C  achieved  by 
node  i.  Higher  Q  and  lower  D  and  C  are  desirable. 

We  capture  the  multiple  objectives  into  a  single  scalar 
function  to  be  maximized: 

MOO  =  ^  (Qm  -  Dm  -  Cm)  =  max  Q  -  D  -  C 

meJ 

where  T  is  the  set  of  operations. 

G.  Trust-based  Reward  and  Penalty 

We  use  trust  as  a  reward  (i.e.,  an  incentive)  or  penalty  to  a 
node  that  has  provided  a  service,  since  maintaining  a 
sufficiently  high  trust  level  is  important  for  tactical  operation 
execution. 


■D  =^D  -C 

,1  f  /  ^m,i  f  '-m  /  '-n 


(3) 


An  operation  can  impose  a  minimum  user  satisfaction 
threshold,  denoted  as  UST^.  This  is  to  be  compared  against 
the  user  satisfaction  received  (IISR^),  defined  as: 


USRm  =  Min 


Qtrue  pjadvertised 

m 


■Qadvertised  ’  Qtrue 


^advertised 

'-m 


) 


(5) 


Here  Qadvertised.  D^dvertised  Qadvertised  calculated  by 
(3)  based  on  advertised  Q,  D  and  C  scores,  while  Qm“®.  Dm“® 
and  Cm“®  are  calculated  by  (3)  based  on  true  Q,  D  and  C 
scores.  The  rationale  of  defining  lISR^as  above  is  that  a  user 
(i.e.,  a  SR)  does  not  have  knowledge  of  the  “best”  service 
quality,  so  its  satisfaction  level  with  services  received  is  based 
on  what  has  been  promised  to  be  delivered.  Recall  that 
malicious  nodes  may  perform  self-promotion  attacks  to 
advertise  higher  Q,  and  lower  D  and  C  scores  to  boost  its 
chance  of  node-to-service  assignment.  Since  good  nodes 
always  advertise  true  scores  faithfully,  USRm  =1  if  SR^ 
selects  only  good  nodes  to  provide  services  requested. 

SRm  compares  USTm  against  USRm  to  incentivize  or 
penalize  a  SP  by  increasing  or  decreasing  its  trust.  When  USRm 
exceeds  UST^,  it  is  counted  as  a  positive  experience  and  all 
SPs  in  Om  are  rewarded.  As  described  in  Section  II. B,  the  Beta 
(a,  P)  distribution  is  used  for  trust  assessment  by  the  SRs.  In 
the  case  of  positive  experience,  a  is  incremented  by  1  for  all 
SPs  in  Om  (to  both  integrity  and  competence).  On  the  other 
hand,  when  USRm  is  less  than  USTm,  SR^  identifies  the 
culprits  with  low  performance  (by  comparing  the  advertised 
service  quality  profile  with  the  actual  received  service)  and 
considers  it  a  negative  experience  against  these  culprits.  In  this 
case,  p  is  increased  by  1  for  all  identified  culprits.  Other  SPs 
identified  as  benign  will  not  be  penalized.  Every  node  in  the 
system  keeps  track  of  a  and  p  counts  for  all  SPs  in  the  system. 
The  trust  change  toward  a  SP  will  then  be  propagated  to  make 
it  known  to  other  nodes  in  the  network. 


III.  Service  Composition  and  Binding  Schemes 

Once  the  SCS  for  O^  is  dynamically  formulated  based  on 
service  availability  (i.e.,  available  nodes),  multiple  node-to- 
service  assignment  (NSA)  solutions  may  exist  to  meet  the 
service  requirements  and  constraints  specified.  Which  NSA 
solution  to  pick  depends  on  if  O^  is  standalone.  If  O^  is 
standalone,  the  service  requester  SR^  for  O^  then  chooses  the 
best  NSA  solution  among  all  candidate  solutions  to  maximize 
MOOm  =  Qm  “  Djn  —  Cm-  If  Om  executes  concurrently  with 
some  other  operations  in  a  concurrent  operation  set  C,  then 
SRjn  cooperates  with  other  SRs  in  the  concurrent  operation  set 
to  collectively  choose  the  best  set  of  NSA  solutions  (one  for 
each  operation  in  set  C)  to  maximize  MOO  in  (4)  with  T=C. 
We  propose  two  dynamic  service  composition  and  binding 
schemes,  non-trust-based  and  trust-based,  as  follows: 

•  Non-trust-based\  SR^  selects  the  best  NSA  solution  based 
on  advertised  Q,  D  and  C  scores.  In  this  scheme,  SR^ hilly 
trusts  all  service  advertisements  even  if  malicious  nodes  may 
lie  about  their  Q,  D  and  C  scores.  Objective  metrics, 
Qm,  Dm,  and  Cm,  are  computed  based  on  (3). 

•  Trust-based:  SRm  selects  the  best  NSA  solution  where  each 
objective  is  computed  by  a  trust-weighted  sum.  That  is,  Qm, 
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Dm  and  are  computed  the  same  way  as  in  (3)  except  that 
the  trust  of  SR^  toward  node  i  selected  for  operation 
execution  (i.  e. ,  i)  is  taken  into  consideration  as  follows: 

Qm=  2^(TsR„,iXQ„,i); 

ie<^m 

Dm  =  ^  (Dm,i/TsRni,i)  ^  ^  (Cm,i/TsRm,i) 

ie<?m  i£<^m 

Here  TgR^i  is  the  overall  trust  of  SR^  toward  node  i, 
calculated  by  O.ST^r^  i  +  O-ST^r^  i  assuming  competence  and 
integrity  are  equally  important.  The  benefit  of  the  trust-based 
scheme  is  that  the  advertised  Q,  D  and  C  scores  are  attested  by 
the  trust  levels  of  SPs  evaluated  by  the  SR.  If  all  nodes  are 
trustworthy  with  a  trust  value  of  1,  then  the  trust-based 
solution  reduces  to  the  non- trust-based  solution.  For  the  trust- 
based  scheme,  we  further  introduce  two  trust  thresholds, 
and  for  competence  and  integrity,  respectively,  such  that 
node  i  is  qualified  for  the  execution  of  operation  m  only  if 

Tm  ^  ^  "^SR^  j. 

IV.  Problem  Definition  and  Protocol  Description 

A  given  mission  consists  of  multiple  operations;  an 
operation  requires  a  set  of  abstract  services  some  of  which 
may  need  to  run  concurrently  while  others  must  run 
consecutively.  Services  are  characterized  by  Qol  (Q),  Delay 
(D)  and  Cost  (C)  metrics.  Associated  with  each  requested 
service  in  an  operation  are  thresholds  on  minimum  Qol, 
maximum  delay  and  maximum  cost.  A  node  responsible  for 
an  operation  sends  out  service  requests,  and  available  service 
providers  (SPs)  respond  with  the  Q,  D,  and  C  metrics  for  the 
services  that  they  can  provide.  Given  that  multiple  SPs  may 
meet  the  threshold  criteria,  the  goal  is  to  choose  SPs  so  as  to 
minimize  aggregate  D  and  C  and  maximize  aggregate  Q, 
where  the  aggregation  is  first  over  the  set  of  services 
constituting  an  operation,  and  then  over  the  set  of  operations 
constituting  the  mission.  The  multiple  objectives  are  captured 
by  a  single  scalar  function,  MOO  =  Q  -  D  -  C,  where  Q,  D, 
and  C  are  aggregate  values.  This  is  an  assignment  problem: 
which  SP  should  be  assigned  to  which  abstract  service  in 
which  operation.  Malicious  nodes  may  advertise  false  Q,  D, 
and  C  metrics;  detecting  and  filtering  out  such  nodes  is 
crucial.  The  notion  of  a  user- satisfaction  ratio  is  used  to  mark 
provided  services  as  positive  or  negative;  these  are  then  used 
to  update  the  posterior  distribution  of  trust,  modeled  as  a  Beta 
distribution.  The  mean  of  the  distribution  is  used  as  an 
estimate  of  trust. 

In  the  trust-based  version,  to  be  qualified,  a  SP's  trust  scores 
must  be  above  prescribed  thresholds.  The  service-level 
components  of  Q,  D,  and  C  for  a  given  operation  are  scaled  by 
the  trust  score  for  the  corresponding  SP.  The  idea  is  that  nodes 
that  have  previously  advertised  false  Q,  D,  and  C  metrics  are 
less  trustworthy;  hence,  their  metrics  are  discounted. 


V.  Numerical  Results  and  Analysis 

Our  preliminary  case  study  is  for  a  small  size  problem  with 
15  operations  (|J|=15)  and  60  nodes  (|JV'|=60)  as  SPs  for 
dynamic  service  composition  and  service  binding.  The  15 
operations  are  divided  into  9  sequential  chunks,  i.e.,  {1,  2}, 
{3},  {4,  5},  {6,  7,  8},  {9},  {10},  (11,  12},  {13},  and  {14,  15}. 
For  simplicity,  each  operation  is  composed  of  4  distinct 
abstract  services  (|c5^|=  4)  randomly  selected  from  So  to  Sg. 
Further,  each  SP  is  assumed  to  be  specialized  to  one  abstract 
service  only.  Thus,  a  SP  can  be  assigned  to  at  most  one  service 
in  an  operation.  Furthermore,  for  reliability  reasons,  no  SP  can 
service  more  than  one  operation  concurrently. 

We  consider  a  tactical  network  environment  where  all 
nodes  can  communicate  with  each  other,  so  mobility  is  not  an 
issue  for  communication.  We  set  the  two  trust  thresholds  to 
T^  =  0.5  and  T^  =  0.5,  so  that  every  SP  with  trust  not  less 
than  0.5  will  have  a  chance  to  provide  service.  The  T^j  and  Ty 
values  for  integrity  and  competence  are  set  to  0.5  initially  for 
all  nodes  with  (a=l,  P=l),  meaning  ignorance  (no  knowledge). 
As  node  i  accumulates  positive  and  negative  experiences  for 
services  provided  by  node  j,  node  i  updates  its  trust  toward 
node  j  based  on  trust  penalty/reward  described  in  Section  II. G. 

We  model  the  hostility  of  the  environment  by  the 
percentage  of  malicious  nodes,  denoted  as  Pbad  in  the  range  of 
[0  —  50]%.  The  risk  taking  behavior  of  a  malicious  node  is 
modeled  by  a  percentage  of  boosting  parameter,  Pj-isk-  That  is,  a 
malicious  node  will  boost  its  advertised  Q,  D  and  C  scores  by 
multiplying  its  true  Q,  D  and  C  scores  with  (1+Prisk),  (l“Prisk), 
(l“Prisk),  respectively,  to  increase  its  chance  of  being  selected. 


TABLE  I.  Key  Parameters  and  Defauet  Vaeues/Ranges 


Parameter 

Value 

Parameter 

Value 

Parameter 

Value 

l<5ml 

4 

iji 

10 

0.5 

Terr  /  Pbad 

[0-50%] 

\W\ 

60 

Dgood  !  Cgood 

[1-2] 

Prisk 

[0-100%] 

L- 

0.5 

Dbad  /  Cbad 

[3-5] 

USTni 

[75-100%] 

T-C. 

0.5 

Qbad?  Qgood 

[1-3],  [4-5] 

Table  I  lists  key  parameters  and  their  default  values.  In 
particular,  Qbad,  Dbad  and  Cbad  are  the  true  Q,  D  and  C  scores 
for  bad  nodes,  which  can  be  boosted  during  service 
advertisement.  Qgood?  Dgood  and  Cgood  are  the  true  Q,  D  and  C 
scores  for  good  nodes,  which  will  be  reported  by  good  nodes 
faithfully  during  service  advertisement.  The  Q,  D,  C  values  for 
a  node  are  generated  once  following  uniform  distribution  at 
the  beginning  and  are  not  changed  during  system  operation. 

We  solve  the  dynamic  service  composition  and  service 
binding  MOO  problem  as  defined  in  (4)  with  ILP  techniques. 
The  detail  of  the  ILP  formulation  is  given  in  the  Appendix. 
We  apply  the  ILP  solution  technique  to  both  non- trust-based 
using  Qm,  Dm  and  defined  in  (3),  and  trust-based  using 
Qm,  Dm  and  defined  in  (6).  The  end  product  obtained  by 
using  MATLAB  is  expressed  by  a  decision  variable 
specifying  if  node  j  should  be  assigned  to  abstract  service  Sk 
of  operation  m  so  that  the  MOO  value  defined  in  (4)  is 
maximized.  Dynamic  trust  update  is  implemented  by  an 
iterative  ILP  solution  technique  in  which  the  ILP  solution  is 
applied  sequentially  to  “operation  chunks”  in  time  order  where 
a  chunk  is  defined  as  a  set  of  overlapping  operations. 
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Fig.l.  MOO,  Q,  D  and  C  objective  values  vs.  trust 
estimation  error  (Ten)  under  trust-based  and  non-trust- 
based  schemes. 


Fig.  2.  MOO  value  vs.  percentage  of  bad  nodes 

(Pbad)- 


^risk 


Fig.  3.  Effect  of  risk  taking  by  a  malicious  node 
(Pnsk). 


Depending  on  the  outeome  of  the  user  satisfaetion 
eondition  defined  in  (5),  trust  toward  the  nodes  assigned  to 
exeeute  a  ehunk  is  updated  and  refleeted  as  input  to  the  next 
ILP  exeeution.  The  15  operations  in  our  experiment  require  9 
ILP  exeeutions  sinee  these  15  operations  are  separated  into  9 
non-overlapping  ehunks  in  time  order. 

The  underlying  assumption  of  our  iterative  ILP  solution 
teehnique  is  that  trust  values  are  statie  during  the  exeeution  of 
eaeh  ehunk,  whieh  is  justified  sinee  trust  is  updated  only  after 
a  taetieal  operation  is  exeeuted.  Below  we  report  experimental 
results  obtained  from  ILP  solutions  to  examine  the  effeet  of 
key  parameters,  ineluding  Pbad  (pereentage  of  malieious  nodes), 
Prisk  (level  of  risk  taking  by  a  malieious  node),  USTm  (user 
satisfaetion  threshold),  and  Ten-  (trust  bias).  The  results 
reported  are  based  on  the  average  of  100  runs  with  random 
seeds  to  generate  true  Q,  D  and  C  seores  for  good  and  bad 
nodes.  The  assignments  of  the  speeifie  abstraet  serviee  that 
ean  be  provided  by  eaeh  SP,  the  4  distinet  serviees  that  are 
required  by  eaeh  operation  and  the  bad  node  seleetion  given 
Pbad  as  input  are  also  randomly  generated  but  remain  the  same 
aeross  the  100  runs. 

Fig.  1  eompares  the  two  sehemes  in  terms  of  Q,  D,  C,  and 
MOO  values  for  the  ease  in  whieh  Pbad=  30%,  Prisk  =  70%  and 
USTm=  90%,  with  Terr  Varying  in  the  range  of  0%  to  50%.  The 
effeet  of  Terr  is  modeled  by  trust  overestimation  for  bad  nodes 
to  test  the  resilieney  property  of  the  trust-based  seheme  against 
self-promotion  attaeks.  We  see  that  trust-based  seheme  ean 
still  perform  better  than  the  non-trust-based  seheme  when  the 
trust  estimation  error  is  bounded  within  30%,  that  is,  the  MOO 
and  Q  values  are  higher  while  the  D  and  C  values  are  lower 
beeause  of  its  ability  to  diseem  trustworthy  SPs  from 
untrustworthy  ones.  However,  when  the  trust  estimation  error 
exeeeds  a  threshold  (30%  in  this  ease),  the  advantage  of  trust- 
based  seheme  to  filter  out  untrustworthy  nodes  disappears 
beeause  bad  nodes  (30%  in  this  ease)  may  have  high 
subjeetive  trust  and  ean  be  seleeted  to  exeeute  operations  by 
mistake,  espeeially  if  they  aggressively  lie  about  their  serviee 
quality  (Prisk=70%  in  this  ease).  The  trust  estimation  error  may 
be  introdueed  beeause  of  trust  propagation  and  aggregation 
error.  We  note  that  many  eontemporary  trust  systems  ean  limit 
the  trust  estimation  error  to  3-5%  (e.g.,  [3],  [4],  [5])  whieh  is 
mueh  less  than  the  threshold  of  30%. 


Fig.  2  shows  that  the  performanees  of  both  sehemes 
deteriorate  as  the  pereentage  of  bad  nodes  inereases.  However, 
the  trust-based  seheme  is  able  to  filter  out  bad  nodes 
effeetively  (despite  Terr=20%)  and  is  less  vulnerable  to  bad 
node  population  inerease  eompared  with  the  non-trust-based 
approaeh.  Fig.  3  analyzes  the  effeet  of  P^sk  on  performanee. 
We  observe  a  trend  similar  to  that  in  Fig.  2.  While  the  non¬ 
trust-based  seheme  helplessly  aeeepts  bad  nodes  that  boost 
their  advertised  seores,  the  trust-based  seheme  is  able  to  filter 
out  untrustworthy  nodes  (Terr=20%  in  this  ease). 


Fig.  4.  Effect  of  user  satisfaction  threshold  (USTm). 
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Fig.  5.  User  satisfaction  received  (USRm)  per  operation. 


Fig.  4  examines  the  impaet  of  USTm  on  protoeol 
performanee,  with  UST^  varying  in  the  range  of  75%-100%. 
Fig.  5  eompares  USRm  on  an  operation  by  operation  basis  in 
time  order  for  the  trust-based  seheme  operating  at  USTm=75% 
and  90%  against  the  non-trust-based  seheme.  We  eonsider  a 
eombination  of  Pi-isk=70%,  Pbad=30%  and  Terr=20%  to  reveal 
interesting  trends.  Beeause  of  high  Pj-isk  and  Terr,  the  trust- 
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based  scheme  is  fooled  into  selecting  bad  nodes  in  the  first 
few  operations.  So  the  first  8  operations  do  not  pass  the  user 
satisfaction  threshold.  As  a  result,  bad  nodes  selected  to 
provide  services  in  the  first  8  operations  are  penalized  with 
trust  decrease  and  likely  to  be  filtered  out  from  later  operations. 
This  is  evidenced  by  the  result  that  the  last  7  operations  have 
high  USRm  values.  We  see  that  IISR^  values  in  the  last  7 
operations  under  USTin=90%  are  higher  than  those  under 
USTin=75%  because  a  higher  user  satisfaction  threshold  tends 
to  cause  more  negative  experiences  and  thus  induces  more 
trust  penalty  to  be  applied  to  bad  nodes.  In  particular,  IISR^  is 
close  to  100%  for  3  of  the  last  7  operations  when  USTin=90% 
because  only  good  nodes  are  being  selected  by  the  trust-based 
scheme  due  to  dynamic  trust  update.  On  the  contrary,  the  non¬ 
trust-based  scheme  consistently  yields  a  low  IISR^  operation 
by  operation  because  it  has  no  effective  way  of  filtering  out 
bad  nodes.  Overall,  the  MOO  function  value  increases  (and 
levels  off)  as  USTm  increases  as  demonstrated  in  Fig.  4.  This 
trend  supports  our  claim  that  the  trust  based  scheme  can 
effectively  achieve  high  user  satisfaction  for  MOO  service 
quality  despite  the  presence  of  bad  nodes  performing  self¬ 
promotion  attacks,  especially  after  the  system  runs  through  the 
first  few  operations  to  stabilize  trust  update. 

VI.  Conclusion 

We  proposed  a  trust-based  service  composition  and  service 
binding  protocol  for  a  tactical  network  where  we  are 
concerned  with  multi-objective  optimization.  By  utilizing  an 
iterative  integer  linear  programming  solution  technique  for 
solving  both  trust-based  and  non-trust-based  optimization 
problems,  we  demonstrate  that  our  trust-based  scheme 
outperforms  the  non-trust-based  counterpart  in  user 
satisfaction.  Furthermore,  our  trust-based  scheme  can 
effectively  penalize  malicious  nodes  performing  self¬ 
promotion  attacks,  effectively  filtering  out  malicious  nodes, 
and  can  ultimately  lead  to  high  user  satisfaction. 

Appendix 

In  this  appendix,  we  provide  the  implementation  detail  of 
the  ILP  solution  technique  for  solving  the  node-to-service 
MOO  assignment  problem. 


TABLE  II.  Variable  Definitions  for  ILP 


Variable 

Definition 

o 

< 

1  if  operations  p  and  q  are  overlapping  in  time;  0 
otherwise 

Sj,k 

1  if  node  j  ean  provide  abstraet  serviee  k;  0  otherwise 

1 ,  if  operation  m  requires  abstraet  serviee  k; 

0,  otherwise 

1:1:  j,m 

1  if  j  and  Ti,  <  j;  0  otherwise 

l:Oj,k,m 

Sj,k  ^  l^k,m  ^  l:l:j>m 

^j,k,m 

1  if  node  j  is  assigned  to  serviee  k  in  operation  m;  0 
otherwise  (output) 

Table  II  defines  the  variables  used  in  the  ILP  formulation. 
The  binary  variables  oVp  q,  Sj  k,  ttj,m  summarize  the 

service  composition  specifications  for  the  operations  as  well  as 
status  and  capability  of  the  nodes,  given  as  input  to  the  ILP. 


There  is  only  one  decision  variable,  namely,  Wj  to  be 
determined  by  the  ILP,  specifying  if  node  j  should  be  assigned 
to  abstract  service  k  of  operation  m.  The  ILP  will  search  for  an 
optimal  solution  of  for  all  j’s,  k’s  and  m’s  to  maximize 
MOO  in  both  trust-based  and  non-trust-based  schemes.  The 
objective  function  MOO=  “  f^m  “  Cm)  as  defined  by 

(3),  (4)  and  (6)  can  be  computed  as  a  linear  function  of 
(the  only  decision  variable  to  be  decided  by  the  ILP).  The 
service-to-node  assignment  MOO  problem  is  formulated  as 
follows: 

Given.  T,  JST,  oVp  q,  Sj  ,ff  j  m 

Find:  Wj 

Maximize:  SmejCQm  “  Dm  “  ^m) 

Subject  to:  Vj  V{p,  q}  oVp  q  x  (w^xp  +  ^j,kq  )  ^  1; 

Hj  =  irik,m;  Wj,k,m  ^  fOj  k,m 
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